[Original text] The Pseudo-Random Number Generator (PRNG) in SSLeay and OpenSSL before 0.9.6b allows attackers to use the output of small PRNG requests to determine the internal state information, which could be used by attackers to predict future pseudo-random numbers.

-
Vulnerability Description

The pseudo-random number generator (PRNG) in OpenSSL contains a cryptographic design error: by retrieving the output of a few hundred consecutive short PRNG requests, an attacker can predict the PRNG's internal state. This in turn allows the attacker to predict subsequent PRNG output, significantly weakening the strength of the encryption. This problem originated in SSLeay and its derivative toolkits, of which OpenSSL is one.

-
Timeline

Disclosure date:
2001-07-10

Discovery date:
Unknown

Exploit date: Unknown

Resolution date: Unknown

-
Solution

Upgrade to version 0.9.6b or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by applying the vendor-supplied patch for versions of OpenSSL from 0.9.5 to 0.9.6a. Versions prior to 0.9.5 must upgrade.